“A key requirement of the GDPR is gathering user consent for collecting personal data, which is an example of where an open specification can be used effectively,” he told Computer Weekly.

Currently, the most extreme use of personal data online is by advertising technology companies to identify which browsers to target with specific ads.

This is the reason the Kantara Initiative – which creates specifications where none exist to meet market needs – chose consent as the basis for one of its specifications.

The Kantara Initiative is a global consortium with private and public sector members dedicated to improving standardisation and best practice relating to digital identity and personal data.

Advertising technology firms typically use cookie matching to select which browsers ads are delivered to, which means cookies are inspected and those with the right profile are selected.

“But this use of personal data will no longer be allowed by the GDPR,” said Wallis, which has prompted some ad tech firms to lobby Brussels to recognise advertising as a legitimate purpose for gathering data.

Technical solutions

Others, however, have looked to find a technical solution to enable them to comply with the new regulations – but at the same time ensure a “frictionless” user experience.

“These forward-looking ad tech firms are working with Kantara and others in the industry to further develop the group’s consent receipt specification and find practical, workable and frictionless ways of including it in the flow of ad technology,” said Wallis.

A consent receipt is defined as a record of consent used by a data controller as their authority to collect, use and disclose a data subject’s information.

The Kantara Initiative started working on the specification in 2015, in light of the fact the GDPR was under development and consent was known to be a key element of compliance.

“Essentially, we are talking about a file that holds details of consent, such as the purpose of collecting data and how it will be used, that is provided to both the data controller and the data subject,” said Wallis.

“The consent receipt also includes links to existing privacy notices and policies, and relevant information about how that information will be used or disclosed, and can be stored by both parties.”

The consent receipt enables web users to agree to ads from particular brands, which means they will be served ads only from brands they have consented to, while all others will be blocked.

“This is a much better situation than receiving large numbers of inappropriate or unwanted ads, or using an ad blocker where all ads are blocked. It enables a sort of halfway house,” said Wallis.

“Open standards provide a way for ad tech to save itself from itself because it cannot continue in the current form and proprietary standards would not be interoperable – and would therefore not provide a good user experience because everyone would be doing different and separate things,” he said.

The Kantara Initiative believes starting from an open standard is the most logical approach, because open standards are by nature interoperable.

However, under the GDPR, consent alone is not considered to provide a legitimate basis for collecting and processing personal information, and once again the consent receipt can help, according to Wallis.

“A contract is considered to be a legitimate basis, and so ad tech firms could use the fields in the consent receipt, together with a field that describes the value exchange, to create a smart contract between the data controller and data subject,” he said.

Complying with consent

Unlike guidance on consent, Wallis said the consent receipt puts a tool in the hands of ad tech firms that enables them to begin the process of complying with consent.

“This is a tool. A piece of code that actually proves that you are gathering consent, that you have a record of consent, and both parties have a copy,” he said.

Because it is simply a piece of code, Wallis said the consent receipt is extremely flexible. Ad tech firms or other users can simply modify the fields for any purpose.

“And the interoperability is important because GDPR has a requirement for portability, so if identity management and access control based on open standards is ubiquitous, data subjects will be able to take their data out of service A and put it into service B, which could include all their consent receipts.

“In this way, ad tech firms will be able to comply with consent requirements, contract requirements, and portability requirements with relative ease, while satisfying the business requirement of providing a positive user experience,” he said.
